---
title: Open Source Deployment
---

This guide will walk you through running Daytona Open Source locally using Docker Compose.

The compose file can be found in the [docker](https://github.com/daytonaio/daytona/tree/main/docker) folder of the Daytona repository.

:::caution

- This setup is still in development and is **not safe to use in production**
- A separate deployment guide will be provided for production scenarios

:::

## Overview

The Docker Compose configuration includes all the necessary services to run Daytona:

- **API**: Main Daytona application server
- **Proxy**: Request proxy service
- **Runner**: Service that hosts the Daytona Runner
- **SSH Gateway**: Service that handles sandbox SSH access
- **Database**: PostgreSQL database for data persistence
- **Redis**: In-memory data store for caching and sessions
- **Dex**: OIDC authentication provider
- **Registry**: Docker image registry with web UI
- **MinIO**: S3-compatible object storage
- **MailDev**: Email testing service
- **Jaeger**: Distributed tracing
- **PgAdmin**: Database administration interface

## Quick Start

1. Clone the [Daytona repository](https://github.com/daytonaio/daytona)
2. [Install Docker and Docker Compose](https://docs.docker.com/get-docker/)
3. Run the following command (from the root of the Daytona repo) to start all services:

   ```bash
   docker compose -f docker/docker-compose.yaml up -d
   ```

4. Access the services:
   - Daytona Dashboard: http://localhost:3000
     - Access credentials: `dev@daytona.io` / `password`
     - Make sure that the default snapshot is active at http://localhost:3000/dashboard/snapshots
   - PgAdmin: http://localhost:5050
   - Registry UI: http://localhost:5100
   - MinIO Console: http://localhost:9001 (minioadmin / minioadmin)

## DNS Setup for Proxy URLs

For local development, you need to resolve `*.proxy.localhost` domains to `127.0.0.1`:

```bash
./scripts/setup-proxy-dns.sh
```

This configures dnsmasq with `address=/proxy.localhost/127.0.0.1`.

**Without this setup**, SDK examples and direct proxy access won't work.

## Development Notes

- The setup uses shared networking for simplified service communication
- Database and storage data is persisted in Docker volumes
- The registry is configured to allow image deletion for testing
- Sandbox resource limits are disabled because cgroups cannot be partitioned in a DinD environment where the Docker socket is not mounted

## Additional Network Options

### HTTP Proxy

To configure an outbound HTTP proxy for the Daytona services, set the following environment variables in the `docker-compose.yaml` file for each service that requires proxy access (the API service is the only one that requires outbound access to pull images):

- `HTTP_PROXY`: URL of the HTTP proxy server
- `HTTPS_PROXY`: URL of the HTTPS proxy server
- `NO_PROXY`: Comma-separated list of hostnames or IP addresses that should bypass the proxy

The baseline configuration for the API service should be as follows:

```yaml
environment:
  - HTTP_PROXY=<your-proxy>
  - HTTPS_PROXY=<your-proxy>
  - NO_PROXY=localhost,runner,dex,registry,minio,jaeger,otel-collector,<your-proxy>
```
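
A request to an internal URL whose host is missing from `NO_PROXY` is routed to the outbound proxy by clients that honour these variables, along with the registry, S3 or runner credentials it carries. The following added example (not part of the Daytona repository) lists such hosts for one service's environment; the proxy hostname and sample values are constructed, and it assumes the common exact-or-dot-suffix `NO_PROXY` matching and that internal hosts are single-label service names or `localhost` names.

```python
from urllib.parse import urlsplit

PROXY_VARS = {"HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"}


def no_proxy_entries(value: str) -> list[str]:
    """Normalise a NO_PROXY string to lowercase host names / suffixes."""
    entries = []
    for raw in value.split(","):
        item = raw.strip().lower()
        if item == "*":                      # wildcard: everything bypasses the proxy
            entries.append("*")
            continue
        if "://" in item:                    # tolerate a full URL as an entry
            item = urlsplit(item).hostname or ""
        else:
            item = item.lstrip("*").lstrip(".")
            if item.count(":") == 1:         # drop a trailing :port
                item = item.split(":")[0]
        if item:
            entries.append(item)
    return entries


def bypasses(host: str, entries: list[str]) -> bool:
    """Assumed semantics: exact match or dot-suffix match."""
    host = host.lower()
    return any(e == "*" or host == e or host.endswith("." + e) for e in entries)


def is_internal(host: str) -> bool:
    """Assumption: compose service names have no dot; *.localhost is loopback."""
    return "." not in host or host.endswith(".localhost")


def uncovered_internal_hosts(env: dict[str, str]) -> dict[str, list[str]]:
    """Return {host: [variables]} for internal http(s) URLs not covered by NO_PROXY."""
    entries = no_proxy_entries(env.get("NO_PROXY", ""))
    missing: dict[str, list[str]] = {}
    for name, value in sorted(env.items()):
        if name in PROXY_VARS or not isinstance(value, str):
            continue
        try:
            parts = urlsplit(value)
            host = parts.hostname
        except ValueError:                   # not a parseable URL, ignore
            continue
        if parts.scheme not in ("http", "https") or not host:
            continue                         # DB_HOST, REDIS_HOST etc. are not HTTP
        if is_internal(host) and not bypasses(host, entries):
            missing.setdefault(host, []).append(name)
    return missing


# Constructed sample: API defaults from this page, with registry and minio
# dropped from NO_PROXY to show a finding. The proxy host is a placeholder.
SAMPLE_API_ENV = {
    "HTTP_PROXY": "http://proxy.example.internal:3128",
    "HTTPS_PROXY": "http://proxy.example.internal:3128",
    "NO_PROXY": "localhost,runner,dex,jaeger,otel-collector,proxy.example.internal",
    "OIDC_ISSUER_BASE_URL": "http://dex:5556/dex",
    "INTERNAL_REGISTRY_URL": "http://registry:6000",
    "TRANSIENT_REGISTRY_URL": "http://registry:6000",
    "S3_ENDPOINT": "http://minio:9000",
    "OTEL_COLLECTOR_URL": "http://jaeger:4318/v1/traces",
    "DEFAULT_RUNNER_API_URL": "http://runner:3003",
    "PROXY_TEMPLATE_URL": "http://{{PORT}}-{{sandboxId}}.proxy.localhost:4000",
    "POSTHOG_HOST": "https://d18ag4dodbta3l.cloudfront.net",
    "DB_HOST": "db",
}

if __name__ == "__main__":
    for host, variables in uncovered_internal_hosts(SAMPLE_API_ENV).items():
        print(f"{host}: not in NO_PROXY (used by {', '.join(variables)})")
```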

### Extra CA Certificates

To configure extra CA certificates (for example, paired with `DB_TLS` env vars), set the following environment variable in the API service:

```yaml
environment:
  - NODE_EXTRA_CA_CERTS=/path/to/your/cert-bundle.pembundle
```

The provided file is a cert bundle, meaning it can contain multiple CA certificates in PEM format.

## Environment Variables

You can customize the deployment by modifying environment variables in the `docker-compose.yaml` file.
Below is a full list of environment variables with their default values:

### API Service

| Variable                                   | Type    | Default Value                                        | Description                                                                                          |
| ------------------------------------------ | ------- | ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| `PORT`                                     | number  | `3000`                                               | API service port                                                                                     |
| `DB_HOST`                                  | string  | `db`                                                 | PostgreSQL database hostname                                                                         |
| `DB_PORT`                                  | number  | `5432`                                               | PostgreSQL database port                                                                             |
| `DB_USERNAME`                              | string  | `user`                                               | PostgreSQL database username                                                                         |
| `DB_PASSWORD`                              | string  | `pass`                                               | PostgreSQL database password                                                                         |
| `DB_DATABASE`                              | string  | `daytona`                                            | PostgreSQL database name                                                                             |
| `DB_TLS_ENABLED`                           | boolean | `false`                                              | Enable TLS for database connection                                                                   |
| `DB_TLS_REJECT_UNAUTHORIZED`               | boolean | `true`                                               | Reject unauthorized TLS certificates                                                                 |
| `REDIS_HOST`                               | string  | `redis`                                              | Redis server hostname                                                                                |
| `REDIS_PORT`                               | number  | `6379`                                               | Redis server port                                                                                    |
| `OIDC_CLIENT_ID`                           | string  | `daytona`                                            | OIDC client identifier                                                                               |
| `OIDC_ISSUER_BASE_URL`                     | string  | `http://dex:5556/dex`                                | OIDC issuer base URL                                                                                 |
| `PUBLIC_OIDC_DOMAIN`                       | string  | `http://localhost:5556/dex`                          | Public OIDC domain                                                                                   |
| `OIDC_AUDIENCE`                            | string  | `daytona`                                            | OIDC audience identifier                                                                             |
| `OIDC_MANAGEMENT_API_ENABLED`              | boolean | (empty)                                              | Enable OIDC management API                                                                           |
| `OIDC_MANAGEMENT_API_CLIENT_ID`            | string  | (empty)                                              | OIDC management API client ID                                                                        |
| `OIDC_MANAGEMENT_API_CLIENT_SECRET`        | string  | (empty)                                              | OIDC management API client secret                                                                    |
| `OIDC_MANAGEMENT_API_AUDIENCE`             | string  | (empty)                                              | OIDC management API audience                                                                         |
| `DEFAULT_SNAPSHOT`                         | string  | `daytonaio/sandbox:0.4.3`                            | Default sandbox snapshot image                                                                       |
| `DASHBOARD_URL`                            | string  | `http://localhost:3000/dashboard`                    | Dashboard URL                                                                                        |
| `DASHBOARD_BASE_API_URL`                   | string  | `http://localhost:3000`                              | Dashboard base API URL                                                                               |
| `POSTHOG_API_KEY`                          | string  | `phc_bYtEsdMDrNLydXPD4tufkBrHKgfO2zbycM30LOowYNv`    | PostHog API key for analytics                                                                        |
| `POSTHOG_HOST`                             | string  | `https://d18ag4dodbta3l.cloudfront.net`              | PostHog host URL                                                                                     |
| `POSTHOG_ENVIRONMENT`                      | string  | `local`                                              | PostHog environment identifier                                                                       |
| `TRANSIENT_REGISTRY_URL`                   | string  | `http://registry:6000`                               | Transient registry URL                                                                               |
| `TRANSIENT_REGISTRY_ADMIN`                 | string  | `admin`                                              | Transient registry admin username                                                                    |
| `TRANSIENT_REGISTRY_PASSWORD`              | string  | `password`                                           | Transient registry admin password                                                                    |
| `TRANSIENT_REGISTRY_PROJECT_ID`            | string  | `daytona`                                            | Transient registry project ID                                                                        |
| `INTERNAL_REGISTRY_URL`                    | string  | `http://registry:6000`                               | Internal registry URL                                                                                |
| `INTERNAL_REGISTRY_ADMIN`                  | string  | `admin`                                              | Internal registry admin username                                                                     |
| `INTERNAL_REGISTRY_PASSWORD`               | string  | `password`                                           | Internal registry admin password                                                                     |
| `INTERNAL_REGISTRY_PROJECT_ID`             | string  | `daytona`                                            | Internal registry project ID                                                                         |
| `SMTP_HOST`                                | string  | `maildev`                                            | SMTP server hostname                                                                                 |
| `SMTP_PORT`                                | number  | `1025`                                               | SMTP server port                                                                                     |
| `SMTP_USER`                                | string  | (empty)                                              | SMTP username                                                                                        |
| `SMTP_PASSWORD`                            | string  | (empty)                                              | SMTP password                                                                                        |
| `SMTP_SECURE`                              | boolean | (empty)                                              | Enable SMTP secure connection                                                                        |
| `SMTP_EMAIL_FROM`                          | string  | `"Daytona Team <no-reply@daytona.io>"`               | SMTP sender email address                                                                            |
| `S3_ENDPOINT`                              | string  | `http://minio:9000`                                  | S3-compatible storage endpoint                                                                       |
| `S3_STS_ENDPOINT`                          | string  | `http://minio:9000/minio/v1/assume-role`             | S3 STS endpoint                                                                                      |
| `S3_REGION`                                | string  | `us-east-1`                                          | S3 region                                                                                            |
| `S3_ACCESS_KEY`                            | string  | `minioadmin`                                         | S3 access key                                                                                        |
| `S3_SECRET_KEY`                            | string  | `minioadmin`                                         | S3 secret key                                                                                        |
| `S3_DEFAULT_BUCKET`                        | string  | `daytona`                                            | S3 default bucket name                                                                               |
| `S3_ACCOUNT_ID`                            | string  | `/`                                                  | S3 account ID                                                                                        |
| `S3_ROLE_NAME`                             | string  | `/`                                                  | S3 role name                                                                                         |
| `ENVIRONMENT`                              | string  | `dev`                                                | Application environment                                                                              |
| `MAX_AUTO_ARCHIVE_INTERVAL`                | number  | `43200`                                              | Maximum auto-archive interval (seconds)                                                              |
| `OTEL_ENABLED`                             | boolean | `true`                                               | Enable OpenTelemetry tracing                                                                         |
| `OTEL_COLLECTOR_URL`                       | string  | `http://jaeger:4318/v1/traces`                       | OpenTelemetry collector URL                                                                          |
| `MAINTENANCE_MODE`                         | boolean | `false`                                              | Enable maintenance mode                                                                              |
| `PROXY_DOMAIN`                             | string  | `proxy.localhost:4000`                               | Proxy domain                                                                                         |
| `PROXY_PROTOCOL`                           | string  | `http`                                               | Proxy protocol                                                                                       |
| `PROXY_API_KEY`                            | string  | `super_secret_key`                                   | Proxy API key                                                                                        |
| `PROXY_TEMPLATE_URL`                       | string  | `http://{{PORT}}-{{sandboxId}}.proxy.localhost:4000` | Proxy template URL pattern                                                                           |
| `PROXY_TOOLBOX_BASE_URL`                   | string  | `{PROXY_PROTOCOL}://{PROXY_DOMAIN}`                  | Proxy base URL for toolbox requests                                                                  |
| `DEFAULT_RUNNER_DOMAIN`                    | string  | `runner:3003`                                        | Default runner domain                                                                                |
| `DEFAULT_RUNNER_API_URL`                   | string  | `http://runner:3003`                                 | Default runner API URL                                                                               |
| `DEFAULT_RUNNER_PROXY_URL`                 | string  | `http://runner:3003`                                 | Default runner proxy URL                                                                             |
| `DEFAULT_RUNNER_API_KEY`                   | string  | `secret_api_token`                                   | Default runner API key                                                                               |
| `DEFAULT_RUNNER_CPU`                       | number  | `4`                                                  | Default runner CPU allocation                                                                        |
| `DEFAULT_RUNNER_MEMORY`                    | number  | `8`                                                  | Default runner memory allocation (GB)                                                                |
| `DEFAULT_RUNNER_DISK`                      | number  | `50`                                                 | Default runner disk allocation (GB)                                                                  |
| `DEFAULT_RUNNER_GPU`                       | number  | `0`                                                  | Default runner GPU allocation                                                                        |
| `DEFAULT_RUNNER_GPU_TYPE`                  | string  | `none`                                               | Default runner GPU type                                                                              |
| `DEFAULT_RUNNER_CAPACITY`                  | number  | `100`                                                | Default runner capacity                                                                              |
| `DEFAULT_RUNNER_CLASS`                     | string  | `small`                                              | Default runner class                                                                                 |
| `DEFAULT_ORG_QUOTA_TOTAL_CPU_QUOTA`        | number  | `10000`                                              | Default organization total CPU quota                                                                 |
| `DEFAULT_ORG_QUOTA_TOTAL_MEMORY_QUOTA`     | number  | `10000`                                              | Default organization total memory quota                                                              |
| `DEFAULT_ORG_QUOTA_TOTAL_DISK_QUOTA`       | number  | `100000`                                             | Default organization total disk quota                                                                |
| `DEFAULT_ORG_QUOTA_MAX_CPU_PER_SANDBOX`    | number  | `100`                                                | Default organization max CPU per sandbox                                                             |
| `DEFAULT_ORG_QUOTA_MAX_MEMORY_PER_SANDBOX` | number  | `100`                                                | Default organization max memory per sandbox                                                          |
| `DEFAULT_ORG_QUOTA_MAX_DISK_PER_SANDBOX`   | number  | `1000`                                               | Default organization max disk per sandbox                                                            |
| `DEFAULT_ORG_QUOTA_SNAPSHOT_QUOTA`         | number  | `1000`                                               | Default organization snapshot quota                                                                  |
| `DEFAULT_ORG_QUOTA_MAX_SNAPSHOT_SIZE`      | number  | `1000`                                               | Default organization max snapshot size                                                               |
| `DEFAULT_ORG_QUOTA_VOLUME_QUOTA`           | number  | `10000`                                              | Default organization volume quota                                                                    |
| `SSH_GATEWAY_API_KEY`                      | string  | `ssh_secret_api_token`                               | SSH gateway API key                                                                                  |
| `SSH_GATEWAY_COMMAND`                      | string  | `ssh -p 2222 {{TOKEN}}@localhost`                    | SSH gateway command template                                                                         |
| `RUNNER_DECLARATIVE_BUILD_SCORE_THRESHOLD` | number  | `10`                                                 | Runner declarative build score threshold                                                             |
| `RUNNER_AVAILABILITY_SCORE_THRESHOLD`      | number  | `10`                                                 | Runner availability score threshold                                                                  |
| `RUNNER_HEALTH_TIMEOUT_SECONDS`            | number  | `3`                                                  | Runner health-check timeout in seconds                                                               |
| `RUN_MIGRATIONS`                           | boolean | `true`                                               | Enable database migrations on startup                                                                |
| `ADMIN_API_KEY`                            | string  | (empty)                                              | Admin API key, auto-generated if empty, used only upon initial setup, not recommended for production |
| `ADMIN_TOTAL_CPU_QUOTA`                    | number  | `0`                                                  | Admin total CPU quota, used only upon initial setup                                                  |
| `ADMIN_TOTAL_MEMORY_QUOTA`                 | number  | `0`                                                  | Admin total memory quota, used only upon initial setup                                               |
| `ADMIN_TOTAL_DISK_QUOTA`                   | number  | `0`                                                  | Admin total disk quota, used only upon initial setup                                                 |
| `ADMIN_MAX_CPU_PER_SANDBOX`                | number  | `0`                                                  | Admin max CPU per sandbox, used only upon initial setup                                              |
| `ADMIN_MAX_MEMORY_PER_SANDBOX`             | number  | `0`                                                  | Admin max memory per sandbox, used only upon initial setup                                           |
| `ADMIN_MAX_DISK_PER_SANDBOX`               | number  | `0`                                                  | Admin max disk per sandbox, used only upon initial setup                                             |
| `ADMIN_SNAPSHOT_QUOTA`                     | number  | `100`                                                | Admin snapshot quota, used only upon initial setup                                                   |
| `ADMIN_MAX_SNAPSHOT_SIZE`                  | number  | `100`                                                | Admin max snapshot size, used only upon initial setup                                                |
| `ADMIN_VOLUME_QUOTA`                       | number  | `0`                                                  | Admin volume quota, used only upon initial setup                                                     |
| `SKIP_USER_EMAIL_VERIFICATION`             | boolean | `true`                                               | Skip user email verification process                                                                 |
| `RATE_LIMIT_ANONYMOUS_TTL`                 | number  | (empty)                                              | Anonymous rate limit time-to-live (seconds, empty - rate limit is disabled)                          |
| `RATE_LIMIT_ANONYMOUS_LIMIT`               | number  | (empty)                                              | Anonymous rate limit (requests per TTL, empty - rate limit is disabled)                              |
| `RATE_LIMIT_AUTHENTICATED_TTL`             | number  | (empty)                                              | Authenticated rate limit time-to-live (seconds, empty - rate limit is disabled)                      |
| `RATE_LIMIT_AUTHENTICATED_LIMIT`           | number  | (empty)                                              | Authenticated rate limit (requests per TTL, empty - rate limit is disabled)                          |
| `RATE_LIMIT_SANDBOX_CREATE_TTL`            | number  | (empty)                                              | Sandbox create rate limit time-to-live (seconds, empty - rate limit is disabled)                     |
| `RATE_LIMIT_SANDBOX_CREATE_LIMIT`          | number  | (empty)                                              | Sandbox create rate limit (requests per TTL, empty - rate limit is disabled)                         |
| `RATE_LIMIT_SANDBOX_LIFECYCLE_TTL`         | number  | (empty)                                              | Sandbox lifecycle rate limit time-to-live (seconds, empty - rate limit is disabled)                  |
| `RATE_LIMIT_SANDBOX_LIFECYCLE_LIMIT`       | number  | (empty)                                              | Sandbox lifecycle rate limit (requests per TTL, empty - rate limit is disabled)                      |
| `DEFAULT_REGION_ID`                        | string  | `us`                                                 | Default region ID                                                                                    |
| `DEFAULT_REGION_NAME`                      | string  | `us`                                                 | Default region name                                                                                  |
| `DEFAULT_REGION_ENFORCE_QUOTAS`            | boolean | `false`                                              | Enable region-based resource limits for default region                                               |

### Runner

| Variable                    | Type    | Default Value                     | Description                           |
| --------------------------- | ------- | --------------------------------- | ------------------------------------- |
| `VERSION`                   | string  | `0.0.1`                           | Runner service version                |
| `ENVIRONMENT`               | string  | `development`                     | Application environment               |
| `API_PORT`                  | number  | `3003`                            | Runner API service port               |
| `API_TOKEN`                 | string  | `secret_api_token`                | Runner API authentication token       |
| `LOG_FILE_PATH`             | string  | `/home/daytona/runner/runner.log` | Path to runner log file               |
| `RESOURCE_LIMITS_DISABLED`  | boolean | `true`                            | Disable resource limits for sandboxes |
| `AWS_ENDPOINT_URL`          | string  | `http://minio:9000`               | AWS S3-compatible storage endpoint    |
| `AWS_REGION`                | string  | `us-east-1`                       | AWS region                            |
| `AWS_ACCESS_KEY_ID`         | string  | `minioadmin`                      | AWS access key ID                     |
| `AWS_SECRET_ACCESS_KEY`     | string  | `minioadmin`                      | AWS secret access key                 |
| `AWS_DEFAULT_BUCKET`        | string  | `daytona`                         | AWS default bucket name               |
| `SERVER_URL`                | string  | `http://api:3000/api`             | Daytona API server URL                |
| `DAEMON_START_TIMEOUT_SEC`  | number  | `60`                              | Daemon start timeout in seconds       |
| `SANDBOX_START_TIMEOUT_SEC` | number  | `30`                              | Sandbox start timeout in seconds      |

### SSH Gateway

| Variable           | Type   | Default Value                        | Description                |
| ------------------ | ------ | ------------------------------------ | -------------------------- |
| `API_URL`          | string | `http://api:3000/api`                | Daytona API URL            |
| `API_KEY`          | string | `ssh_secret_api_token`               | API authentication key     |
| `SSH_PRIVATE_KEY`  | string | (Base64-encoded OpenSSH private key) | SSH private key for auth   |
| `SSH_HOST_KEY`     | string | (Base64-encoded OpenSSH host key)    | SSH host key for server    |
| `SSH_GATEWAY_PORT` | number | `2222`                               | SSH gateway listening port |

### Proxy

| Variable                  | Type    | Default Value               | Description                     |
| ------------------------- | ------- | --------------------------- | ------------------------------- |
| `DAYTONA_API_URL`         | string  | `http://api:3000/api`       | Daytona API URL                 |
| `PROXY_PORT`              | number  | `4000`                      | Proxy service port              |
| `PROXY_DOMAIN`            | string  | `proxy.localhost:4000`      | Proxy domain                    |
| `PROXY_API_KEY`           | string  | `super_secret_key`          | Proxy API authentication key    |
| `PROXY_PROTOCOL`          | string  | `http`                      | Proxy protocol (http or https)  |
| `COOKIE_DOMAIN`           | string  | `$PROXY_DOMAIN`             | Cookie domain for proxy cookies |
| `OIDC_CLIENT_ID`          | string  | `daytona`                   | OIDC client identifier          |
| `OIDC_CLIENT_SECRET`      | string  | (empty)                     | OIDC client secret              |
| `OIDC_DOMAIN`             | string  | `http://dex:5556/dex`       | OIDC domain                     |
| `OIDC_PUBLIC_DOMAIN`      | string  | `http://localhost:5556/dex` | OIDC public domain              |
| `OIDC_AUDIENCE`           | string  | `daytona`                   | OIDC audience identifier        |
| `REDIS_HOST`              | string  | `redis`                     | Redis server hostname           |
| `REDIS_PORT`              | number  | `6379`                      | Redis server port               |
| `TOOLBOX_ONLY_MODE`       | boolean | `false`                     | Allow only toolbox requests     |
| `PREVIEW_WARNING_ENABLED` | boolean | `false`                     | Enable browser preview warning  |
| `SHUTDOWN_TIMEOUT_SEC`    | number  | `3600`                      | Shutdown timeout in seconds     |
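
Many of the defaults in the tables above are published credentials or development conveniences. The following added example (not part of the Daytona repository) reports, per service, which variables still hold a documented default secret, a relaxed development value, or an empty rate limit. It reads the JSON printed by `docker compose -f docker/docker-compose.yaml config --format json`; the service names and values in the embedded sample are constructed.

```python
import json
from typing import NamedTuple

# Default secrets copied from the tables on this page (variable -> default).
DOCUMENTED_DEFAULT_SECRETS = {
    "DB_PASSWORD": "pass",
    "TRANSIENT_REGISTRY_PASSWORD": "password",
    "INTERNAL_REGISTRY_PASSWORD": "password",
    "S3_ACCESS_KEY": "minioadmin",
    "S3_SECRET_KEY": "minioadmin",
    "AWS_ACCESS_KEY_ID": "minioadmin",
    "AWS_SECRET_ACCESS_KEY": "minioadmin",
    "PROXY_API_KEY": "super_secret_key",
    "DEFAULT_RUNNER_API_KEY": "secret_api_token",
    "API_TOKEN": "secret_api_token",
    "SSH_GATEWAY_API_KEY": "ssh_secret_api_token",
    "API_KEY": "ssh_secret_api_token",
}

# Development conveniences and the value at which each one relaxes a control.
RELAXED_VALUES = {
    "RESOURCE_LIMITS_DISABLED": "true",
    "SKIP_USER_EMAIL_VERIFICATION": "true",
    "DB_TLS_ENABLED": "false",
    "DB_TLS_REJECT_UNAUTHORIZED": "false",
    "PROXY_PROTOCOL": "http",
}


class Finding(NamedTuple):
    service: str
    variable: str
    reason: str          # the secret value itself is never reported


def _environment(service: dict) -> dict[str, str]:
    """Return a service's environment as {name: value}; null becomes ''."""
    env = service.get("environment") or {}
    if isinstance(env, list):            # un-normalised list form: ["KEY=value"]
        env = dict(item.partition("=")[::2] for item in env)
    return {k: "" if v is None else str(v) for k, v in env.items()}


def audit_compose(config_json: str) -> list[Finding]:
    """Audit variables that are present; absent variables are not evaluated."""
    config = json.loads(config_json)
    findings = []
    for service, spec in (config.get("services") or {}).items():
        for name, value in _environment(spec).items():
            if DOCUMENTED_DEFAULT_SECRETS.get(name) == value:
                findings.append(Finding(service, name, "documented default secret"))
            elif RELAXED_VALUES.get(name) == value.strip().lower():
                findings.append(Finding(service, name, "development setting"))
            elif name.startswith("RATE_LIMIT_") and not value.strip():
                findings.append(Finding(service, name, "rate limit disabled (empty)"))
    return sorted(findings)


# Constructed sample in the shape of `docker compose config --format json`.
SAMPLE_CONFIG = json.dumps({
    "services": {
        "api": {"environment": {
            "DB_PASSWORD": "pass",
            "DB_TLS_ENABLED": "true",
            "PROXY_API_KEY": "rotated-example-value",
            "SKIP_USER_EMAIL_VERIFICATION": "true",
            "RATE_LIMIT_ANONYMOUS_LIMIT": "",
        }},
        "runner": {"environment": {
            "API_TOKEN": "secret_api_token",
            "RESOURCE_LIMITS_DISABLED": "true",
        }},
        "db": {"image": "postgres"},     # service without an environment block
    }
})

if __name__ == "__main__":
    for f in audit_compose(SAMPLE_CONFIG):
        print(f"{f.service}: {f.variable}: {f.reason}")
```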

## [OPTIONAL] Configure Auth0 for Authentication

The default compose setup uses a local Dex OIDC provider for authentication. However, you can configure Auth0 as an alternative OIDC provider by following these steps:

### Step 1: Create Your Auth0 Tenant

Begin by navigating to https://auth0.com/signup and starting the signup process. Choose your account type based on your use case - select `Company` for business applications or `Personal` for individual projects.\
On the "Let's get setup" page, you'll need to enter your application name such as `My Daytona` and select `Single Page Application (SPA)` as the application type. For authentication methods, you can start with `Email and Password` since additional social providers like Google, GitHub, or Facebook can be added later. Once you've configured these settings, click `Create Application` in the bottom right corner.

### Step 2: Configure Your Single Page Application

Navigate to `Applications` > `Applications` in the left sidebar and select the application you just created. Click the `Settings` tab and scroll down to find the `Application URIs` section where you'll configure the callback and origin URLs.
In the `Allowed Callback URIs` field, add the following URLs:

```
http://localhost:3000
http://localhost:3000/api/oauth2-redirect.html
http://localhost:4000/callback
http://proxy.localhost:4000/callback
```

For `Allowed Logout URIs`, add:

```
http://localhost:3000
```

And for `Allowed Web Origins`, add:

```
http://localhost:3000
```

Remember to click `Save Changes` at the bottom of the page to apply these configurations.

### Step 3: Create Machine-to-Machine Application

You'll need a Machine-to-Machine application to interact with Auth0's Management API. Go to `Applications` > `Applications` and click `Create Application`. Choose `Machine to Machine Applications` as the type and provide a descriptive name like `My Management API M2M`.
After creating the application, navigate to the `APIs` tab within your new M2M application. Find and authorize the `Auth0 Management API` by clicking the toggle or authorize button.\
Once authorized, click the dropdown arrow next to the Management API to configure permissions. Grant the following permissions to your M2M application:

```
read:users
update:users
read:connections
create:guardian_enrollment_tickets
read:connections_options
```

Click `Save` to apply these permission changes.

### Step 4: Set Up Custom API

Your Daytona application will need a custom API to handle authentication and authorization. Navigate to `Applications` > `APIs` in the left sidebar and click `Create API`. Enter a descriptive name such as `My Daytona API` and provide an identifier like `my-daytona-api`. The identifier should be a unique string that will be used in your application configuration.\
After creating the API, go to the `Permissions` tab to define the scopes your application will use. Add each of the following permissions with their corresponding descriptions:

| Permission                  | Description                              |
| --------------------------- | ---------------------------------------- |
| `read:node`                 | Get workspace node info                  |
| `create:node`               | Create new workspace node record         |
| `create:user`               | Create user account                      |
| `read:users`                | Get all user accounts                    |
| `regenerate-key-pair:users` | Regenerate user SSH key-pair             |
| `read:workspaces`           | Read workspaces (user scope)             |
| `create:registry`           | Create a new docker registry auth record |
| `read:registries`           | Get all docker registry records          |
| `read:registry`             | Get docker registry record               |
| `write:registry`            | Create or update docker registry record  |

### Step 5: Configure Environment Variables

Once you've completed all the Auth0 setup steps, you'll need to configure environment variables in your Daytona deployment. These variables connect your application to the Auth0 services you've just configured.

#### Finding Your Configuration Values

You can find the necessary values in the Auth0 dashboard. For your SPA application settings, go to `Applications` > `Applications`, select your SPA app, and click the `Settings` tab. For your M2M application, follow the same path but select your Machine-to-Machine app instead. Custom API settings are located under `Applications` > `APIs`, then select your custom API and go to `Settings`.

#### API Service Configuration

Configure the following environment variables for your API service:

```bash
OIDC_CLIENT_ID=your_spa_app_client_id
OIDC_ISSUER_BASE_URL=your_spa_app_domain
OIDC_AUDIENCE=your_custom_api_identifier
OIDC_MANAGEMENT_API_ENABLED=true
OIDC_MANAGEMENT_API_CLIENT_ID=your_m2m_app_client_id
OIDC_MANAGEMENT_API_CLIENT_SECRET=your_m2m_app_client_secret
OIDC_MANAGEMENT_API_AUDIENCE=your_auth0_management_api_identifier
```

#### Proxy Service Configuration

For your proxy service, configure these environment variables:

```bash
OIDC_CLIENT_ID=your_spa_app_client_id
OIDC_CLIENT_SECRET=
OIDC_DOMAIN=your_spa_app_domain
# The value must end with a trailing slash
OIDC_AUDIENCE=your_custom_api_identifier
```

Note that `OIDC_CLIENT_SECRET` should remain empty for your proxy environment.
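
A preflight check for the two variable sets above, as an added example that is not part of the Daytona repository: it flags unfilled `your_*` placeholders, a non-empty proxy `OIDC_CLIENT_SECRET`, and a proxy `OIDC_AUDIENCE` without a trailing slash. It assumes the variables are kept in plain `KEY=value` files; the function names, file names and sample values are hypothetical.

```shell
# Added example (not Daytona code): lint the Step 5 env files before starting the stack.
# Assumes plain KEY=value lines without quotes; file names are hypothetical.

# Print the value of KEY from an env file (last assignment wins).
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Report KEY if it is empty or still holds a your_* placeholder from the guide.
require_set() {
  case $(env_get "$1" "$2") in
    ''|your_*) echo "$1: $2 is not set"; return 1 ;;
  esac
}

# API service: SPA client, issuer and audience, plus M2M credentials when enabled.
check_api_env() {
  local f="$1" rc=0 k
  for k in OIDC_CLIENT_ID OIDC_ISSUER_BASE_URL OIDC_AUDIENCE; do
    require_set "$f" "$k" || rc=1
  done
  if [ "$(env_get "$f" OIDC_MANAGEMENT_API_ENABLED)" = true ]; then
    for k in OIDC_MANAGEMENT_API_CLIENT_ID OIDC_MANAGEMENT_API_CLIENT_SECRET \
             OIDC_MANAGEMENT_API_AUDIENCE; do
      require_set "$f" "$k" || rc=1
    done
  fi
  return $rc
}

# Proxy service: empty client secret and an audience that ends in "/".
check_proxy_env() {
  local f="$1" rc=0 k
  for k in OIDC_CLIENT_ID OIDC_DOMAIN OIDC_AUDIENCE; do
    require_set "$f" "$k" || rc=1
  done
  if [ -n "$(env_get "$f" OIDC_CLIENT_SECRET)" ]; then
    echo "$f: OIDC_CLIENT_SECRET must stay empty for the proxy"; rc=1
  fi
  case $(env_get "$f" OIDC_AUDIENCE) in
    */) ;;
    *) echo "$f: OIDC_AUDIENCE needs a trailing slash"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample: a proxy file that breaks both proxy rules stated above.
demo_dir=$(mktemp -d)
printf '%s\n' OIDC_CLIENT_ID=abc123 OIDC_CLIENT_SECRET=s3cret \
  OIDC_DOMAIN=example.auth0.com OIDC_AUDIENCE=my-daytona-api > "$demo_dir/proxy.env"
check_proxy_env "$demo_dir/proxy.env" || echo "proxy.env needs fixes"
```

Both check functions return non-zero when they print a finding, so they can gate a `docker compose up` in a wrapper script.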
